In: Nursing
Massachusetts General Hospital settles potential HIPAA
violations
Large hospital system to improve policies and procedures
safeguarding patient information
The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) has agreed to pay the U.S. government $1,000,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today.
Mass General, one of the nation’s oldest and largest hospitals, signed a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. The settlement follows an extensive investigation by the HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities) to protect the privacy of patient information through administrative, physical and technical safeguards at all times.
“We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information,” said OCR Director Georgina Verdugo.
The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS. OCR opened its investigation of Mass General after a complaint was filed by a patient whose PHI was lost on March 9, 2009. OCR’s investigation indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.
The impermissible disclosure of PHI involved the loss of documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients. These documents were lost on March 9, 2009, when a Mass General employee, while commuting to work, left the documents on the subway train that were never recovered.
Mass General also agreed to enter into a Corrective Action Plan (CAP), which requires the hospital to:
Develop and implement a comprehensive set of policies and
procedures that ensure PHI is protected when removed from Mass
General’s premises;
Train workforce members on these policies and procedures; and
Designate the Director of Internal Audit Services of Partners
HealthCare System Inc. to serve as an internal monitor who will
conduct assessments of Mass General’s compliance with the CAP and
render semi-annual reports to HHS for a 3-year period.
“To avoid enforcement penalties, covered entities must ensure they
are always in compliance with the HIPAA Privacy and Security
Rules,” said Verdugo. “A robust compliance program includes
employee training, vigilant implementation of policies and
procedures, regular internal audits, and a prompt action plan to
respond to incidents.”
1.Summary Details of the Violation: (Include all pertinent
information)
2.What part (or parts) of the HIPAA Law was violated?
3.Penalty Given:
4.What actions could have been taken to avoid the violation? (Be
specific)
5.What steps will you take as a healthcare provider to avoid
violations of the HIPAA Law? (Be specific)
5. To avoid the violation of the HIPAA Law following steps are taken as a health care provider:-